Authlib

This hub aggregates every CVE we track for Authlib, a product in the oss libraries space. Use it to gauge the current risk picture and drill into individual advisories.

Severity distribution

Monthly trend

The 12 most recently published vulnerabilities affecting Authlib.

• CVE-2026-41479Authlib OAuth 2.0 authorization endpoint open redirects to attacker-controlled redirect_uri on unsupported response_type5.4Jun 22, 2026
• CVE-2026-44681Authlib: Open Redirect in Authlib OIDC Implicit/Hybrid Authorization6.1May 27, 2026
• CVE-2026-41425Authlib: Cross-site request forging when using cache5.4Apr 24, 2026
• CVE-2026-28498Authlib: Fail-Open Cryptographic Verification in OIDC Hash Binding7.5Mar 16, 2026
• CVE-2026-28490Authlib Vulnerable to JWE RSA1_5 Bleichenbacher Padding Oracle6.5Mar 16, 2026
• CVE-2026-27962Authlib JWS JWK Header Injection: Signature Verification Bypass9.1Mar 16, 2026
• CVE-2026-28802Authlib: Setting `alg: none` and a blank signature appears to bypass signature verification9.8Mar 6, 2026
• CVE-2025-68158Authlib: 1-click Account Takeover5.7Jan 8, 2026
• CVE-2025-62706Authlib : JWE zip=DEF decompression bomb enables DoS6.5Oct 22, 2025
• CVE-2025-61920Authlib is vulnerable to Denial of Service via Oversized JOSE Segments7.5Oct 10, 2025
• CVE-2025-59420Authlib: JWS/JWT accepts unknown crit headers (RFC violation → possible authz bypass)7.5Sep 22, 2025
• CVE-2024-37568lepture Authlib before 1.3.1 has algorithm confusion with asymmetric public keys. Unless an algorithm is specified in a jwt.decode call, HMAC verification is allowed with any asymmetric public key....7.5Jun 9, 2024